Social

Follow Us

Month: November 2018

Awareness of blockchain has soared in recent years with the emergence of cryptocurrencies, but the technology has existed for much longer. The linking of blocks, containing cryptographic functions of transactions and data, means that tampering with their contents becomes increasingly difficult as the chain grows – this concept was exploited for document timestamping applications more than a decade before cryptocurrencies became reality. In many implementations, blocks are confirmed by, and stored at, many nodes in different locations, providing a high degree of data integrity. There are, however, many challenges for applying blockchain technologies in tactical networks, particularly due to the constraints of the platforms, the limited bandwidth available among them, and the impact of network partitioning. In this report, the development and principles of blockchains are presented, along with an overview of their weaknesses and vulnerabilities. There is a huge level of interest in this technology across many sectors, and this is reflected in the breadth of the referenced material. Weaknesses in design and implementation can make blockchains vulnerable to attack, and their interfaces are particularly at risk. A range of possible applications in tactical networks is explored, from supply chain management, to network management and application data immutability. Finally, a simple blockchain architecture for mobile tactical networks is developed, to illustrate the potential and challenges of this technology. Overall, it is clear that blockchain technology provides a potential avenue for solving some problems in the tactical network context, but it is not yet clear whether it is the best such solution.

…

The key feature of blockchain technology is data integrity in a trustless environment: transaction or data records included on the blockchain are timestamped, cryptographically protected and stored by many distributed nodes, reducing the risk of total loss. For a sufficiently long blockchain, with a large number of nodes, the records can be considered immutable, in the sense that any tampering will be evident. This integrity can be exploited in different ways to enhance the robustness and resilience of tactical networks, and some of these are discussed in Section 5.1.

Smart contracts, described in Section 3.2, also provide opportunities for robust resource management in tactical networks, particularly in complex operational conditions where many users interact in the electromagnetic (EM) spectrum. Possible applications of blockchain to resource management are discussed in Section 5.2.

Tactical environments pose particular challenges for the introduction of blockchain technology, as devices are constrained in size, weight and power, and there are physical limitations on node connectivity. These challenges are considered in Section 5.3.

An example architecture for applying blockchain technology to support tactical operations is described in Section 5.4, taking into account the opportunities and challenges outlined thus far.

In this section, network nodes are considered to be the devices or platforms connected to the blockchain network; these are not (just) the radio interfaces themselves, but may be auxiliary equipment such as biometric devices, weapons or communication platforms.

…

5.4 Example tactical blockchain architecture

Based on the preceding, we propose an example architecture for a tactical blockchain system. The scenario we consider consists of a unit of dismounted soldiers, each carrying several devices connected on a personal network: a weapon, a radio, a camera, a radio frequency (RF) sensor and a computer (similar to a smart phone), sharing a battery and a memory drive such as a flash card. The soldier is also considered a network component, as they are a source and sink of data, and their identity is confirmed using a networked biometric sensor such as a fingerprint or iris scanner. The other devices may be authenticated using a radio frequency identification (RFID) chip or imaging as described in Section 5.1.4; authentication will only be required if the networked component has been disconnected from the personal network and attempts to rejoin.

We assume that the weapon tracks the ammunition it uses, and records the amount remaining. The camera may be continually recording, but to limit memory usage, only a few seconds before and after the weapon is fired are retained. C2 and other messages, either digital voice or data to and from the computer, all passed via the radio, are recorded for post-action analysis. SA in the form of RF sensor data is sampled periodically, and transferred via the radio to other soldiers in the unit and recorded locally. These different sources of data all use the computer’s memory for storage; both the memory and battery usage are tracked.

We use blockchains to provide authentication and identification management for the soldiers and devices engaged in the operation, an auditing function to track cyber SA and C2, resource usage tracking, and a policy management function, which is used to support resource loading decisions across the unit. As noted in Section 5.3.6, the longer the blockchain, the stronger it is, so all these functions use the same blockchain within their cluster (Section 5.4.1).

This is a simplified scenario, intended to give insight into the potential application of blockchain technology in tactical networks. Note that, as discussed in Section 6, the fact that this technology might be used to address these problems does not mean it is the best choice. Note also that the exchange of transactions and blocks among the users is assumed to be secure.

Like this:

In March 2018, an identified financial services corporation received a thumb drive infected with the bank credential-stealing Qakbot malware variant, targeting information from networked computers and financial institution web sites. The financial services corporation purchased bulk thumb drives from a US online retailer of computer hardware. The thumb drives were originally manufactured in China. According to FBI forensic analysis, the Qakbot malware was on the infected thumb drive before the drive arrived in the United States. Qakbot is extremely persistent and requires removal of all malware from every device. Failure to remove even one node of malware may result in re-infecting previously sanitized systems possibly costing the victim hundreds of thousands of dollars in malware removal and system downtime.

Threat

Qakbot is an information stealing worm—originally discovered in 2007 with a major update in 2017—that propagates through removable drives, network shares, and Web pages. The most common vector of intrusion for Qakbot is malicious attachments to phishing emails. Once executed, Qakbot spreads to other shared folders and uses Server Message Block (SMB) protocol to infect other machines. Qakbot has keylogging capabilities, and is able to propagate across network environments through a single instance within that network. It is capable of remaining on a device through the use of registry keys and by scheduling recurring tasks to run at timed intervals. Every device connected to the network and every piece of removable media which has been attached needs to be scanned for the malware and cleaned of the infection before it can be reconnected. The most recent updates in 2017 allows Qakbot to lock users out of the active directory, preventing them from being able to work. It also deploys malicious executables into network shares, registering them as services.

Cyber actors have the capability to infect devices with malware at nearly any point in the manufacturing process. The FBI has historically seen cases of infection with malware capable of stealing credentials, gathering data on the users of a computer or network, dropping other types of malware, and serving as a “backdoor” into a secure network. It is difficult to know at which point the malware infection occurred or whether the infection was intentional, due to the international nature of hardware manufacturing.

Recommendations

To mitigate the threat of a potentially infected thumb drive, the following measures should be taken at a minimum:

Ensure the use of approved, trusted vendors for hardware purchases.

Scan all hardware, especially removable storage media, on an external system prior to its insertion into a network environment.

For signature-based intrusion detection systems, ensure that the hash value for known Qakbot variants are included. The MD5 value for the variant identified in this PIN was: ff0e3ec80faafd04c9a8b375be77c6b6. This hash value can change, so be prepared to use other advanced detection systems.

Users should protect themselves and organizations by practicing good browsing habits, ensuring they do not respond to or click on unsolicited email, and to not plug unknown USB devices intotheir workstations.

If you don’t have the expertise to properly handle or identify potential cyber threats please seek out an expert who can provide the expertise needed to secure your organization.

Attachments include classified document receipts, memo from William Moss for the record 8/4/93; route slip; letter David Aaron to James Rhoads 7/29/75; letter Aaron to Wilderotter 7/29/75; 2pp. of document lists.

In the 2011 report to Congress on Foreign Spies Stealing U.S. Economic Secrets in Cyberspace, the Office of the National Counterintelligence Executive provided a baseline assessment of the many dangers facing the U.S. research, development, and manufacturing sectors when operating in cyberspace, the pervasive threats posed by foreign intelligence services and other threat actors, and the industries and technologies most likely at risk of espionage. The 2018 report provides additional insight into the most pervasive nation-state threats, and it includes a detailed breakout of the industrial sectors and technologies judged to be of highest interest to threat actors. It also discusses several potentially disruptive threat trends that warrant close attention.

This report focuses on the following issues

Foreign economic and industrial espionage against the United States continues to represent a significant threat to America’s prosperity, security, and competitive advantage. Cyberspace remains a preferred operational domain for a wide range of industrial espionage threat actors, from adversarial nation-states, to commercial enterprises operating under state influence, to sponsored activities conducted by proxy hacker groups. Next-generation technologies, such as Artificial Intelligence (AI) and the Internet-of-Things (IoT) will introduce new vulnerabilities to U.S. networks for which the cybersecurity community remains largely unprepared. Building an effective response will require understanding economic espionage as a worldwide, multi-vector threat to the integrity of the U.S. economy and global trade.

Foreign intelligence services—and threat actors working on their behalf—continue to represent the most persistent and pervasive cyber intelligence threat. China, Russia, and Iran stand out as three of the most capable and active cyber actors tied to economic espionage and the potential theft of U.S. trade secrets and proprietary information. Countries with closer ties to the United States also have conducted cyber espionage to obtain U.S. technology. Despite advances in cybersecurity, cyber espionage continues to offer threat actors a relatively low-cost, high-yield avenue of approach to a wide spectrum of intellectual property.

A range of potentially disruptive threat trends warrant attention. Software supply chain infiltration already threatens the critical infrastructure sector and is poised to threaten other sectors. Meanwhile, new foreign laws and increased risks posed by foreign technology companies due to their ties to host governments, may present U.S. companies with previously unforeseen threats.

Cyber economic espionage is but one facet of the much larger, global economic espionage challenge. We look forward to engaging in the larger public discourse on mitigating the national economic harm caused by these threats.